C-level executives at some of America’s largest companies unanimously declared themselves "cybersecurity literate" in a recent survey, despite only a third saying the same of their board overall.
The surprising result – which will invite incredulity from some industry watchers – comes shortly after the worst year for cyberattacks on record in 2014, which saw cybersecurity climb up the corporate agenda and funding for start-ups shoot up.
Dwayne Melançon, chief technology officer for security vendor Tripwire, which conducted the survey, said: "There’s a big difference between cybersecurity awareness and cybersecurity literacy.
"If the vast majority of executives were really literate about cybersecurity risks, then spear phishing wouldn’t work.
"I think these results are indicative of the growing awareness that the risks connected with cybersecurity are business critical, but it would appear the executives either don’t understand how much they have to learn about cybersecurity, or they don’t want to admit that they don’t understand the business impact of these risks."
Outside of the executive board the survey data showed that there were considerable discrepancies between how top decision makers might view things compared to their IT staff, a third of whom rated the board as only "marginally literate" on cybersecurity matters.
"The people closest to the work are most impacted by external security events that require a response," said Tim Erlin, director of IT risk and security strategy at Tripwire.
"IT professionals had to sit up, pay attention and apply patches for Heartbleed, even if they weren’t under active attack. There weren’t a lot of C-level executives who spent the weekend running Heartbleed scans."
The study, which interviewed staff of American companies with yearly revenues exceeding $5bn (£3.3bn), also showed that only two-thirds of C-level executives trusted the tools used to display cyber-risks to their board.
Other figures revealed that internal breaches were far more likely to raise awareness of cybersecurity than media coverage of big attacks, with roughly a third of C-level and non C-level executives citing them as having the "biggest impact" on the board’s awareness, compared to around 10% who said the same of the Snowden leaks.